
Unscheduled TSR 10 August 2021

cPanel Perl Encode.pm CVE-2021-36770

Background Information

On August 9th 2021, Perl announced a vulnerability in version 3.05 of the Encode.pm Perl module.

Impact

According to Perl development:

This bug replaces the contents of @INC with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one “require”.

The vulnerability was introduced in Encode v3.05.

Releases

Versions greater than or equal to the versions listed below include the updated Encode.pm perl module.

11.94 – 11.94.0.15
11.96 – 11.96.0.15
11.98 – 11.98.0.4

How to determine if your server is up-to-date

For versions 94 and greater, the previously updated RPMs provided by cPanel will contain a changelog entry noting the applied fixes.
You can check for the changelog entry in versions 94 and 96 with the following command:

rpm -q --changelog cpanel-perl-532-Encode | grep "Encode 3.12"

For version 98 you need the following command (note the lowercase ‘encode’):

rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"

For any version, the output should resemble the following:

- Update patches: Encode 3.12
- Update from upstream: Encode 3.12

What to do if you are not up-to-date

If your server is not running one of the above versions, update immediately.

To upgrade your server, navigate to WHM’s Upgrade to Latest Version interface (Home >> cPanel >> Upgrade to Latest Version) and click Click to Upgrade.

To upgrade cPanel from the command line, run the following commands:

/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list

For versions 94 and 96, verify the updated Perl RPM was installed:

rpm -q --changelog cpanel-perl-532-Encode | grep "Encode 3.12"

For version 98 you need the following command (note the lowercase ‘encode’):

rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"

For any version, the output should resemble the following:

- Update patches: Encode 3.12
- Update from upstream: Encode 3.12
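The release check and the RPM changelog check described above (both in the "How to determine if your server is up-to-date" section and in the post-upgrade verification) can be scripted so that the branch-specific package name and minimum fixed release are not chosen by hand. The following POSIX shell script is an added example, not cPanel's own tooling; it assumes the cPanel version string is read from /usr/local/cpanel/version (an assumption, not stated in the advisory), and the fixed releases and package names are taken from the advisory text.

```shell
#!/bin/sh
# Added example (not part of the cPanel advisory). Decides, for a cPanel version
# string such as "11.98.0.4", whether that release includes the Encode 3.12 fix
# and which RPM changelog to inspect; the version source path is an assumption.

# Minimum fixed release for each branch, as listed in the advisory.
fixed_release_for_branch() {
    case "$1" in
        11.94) echo "11.94.0.15" ;;
        11.96) echo "11.96.0.15" ;;
        11.98) echo "11.98.0.4" ;;
        *) return 1 ;;
    esac
}

# The package name differs by branch: uppercase 'Encode' on 94/96, lowercase on 98.
encode_rpm_for_branch() {
    case "$1" in
        11.94|11.96) echo "cpanel-perl-532-Encode" ;;
        11.98) echo "cpanel-perl-532-encode" ;;
        *) return 1 ;;
    esac
}

# Numeric field-by-field comparison of dotted versions (so 0.10 > 0.4).
# Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    for i in 1 2 3 4; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Returns 0 when the given cPanel version carries the fix, 1 when it is too old,
# and 2 when the branch is not one of those covered by the advisory.
is_fixed_version() {
    branch=$(printf '%s' "$1" | cut -d. -f1,2)
    min=$(fixed_release_for_branch "$branch") || return 2
    version_ge "$1" "$min"
}

# Reads rpm changelog text on stdin and succeeds if the fix marker is present,
# equivalent to the advisory's `grep "Encode 3.12"`.
changelog_has_fix() {
    grep -q "Encode 3.12"
}

# Usage on a server (assumed version file path):
#   v=$(cat /usr/local/cpanel/version)
#   is_fixed_version "$v" && rpm -q --changelog "$(encode_rpm_for_branch "${v%.*.*}")" | changelog_has_fix
```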

Additional Information

Credit: This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770